Yuri Slobodyanyuk's blog on IT Security and Networking sharing experience and expertise


The new era of SHA-256 (as opposed to SHA-1) signed SSL certificates is slowly gaining pace, not without a gentle push from the browser vendors. And Check Point is catching up in its new version R77.30 for Open Servers.
While on both versions, R77.20 and R77.30, the cpopenssl package reports the same version info, they do differ:

openssl in R77.30 now supports SHA-256 certificates

It doesn't mean earlier versions do not support SHA-256 certificates, just that you cannot issue CSRs signed with SHA-256. Nevertheless, your SSL certificate provider is technically very much able to issue a SHA-256 certificate based on a SHA-1 signed CSR, as the hash used to sign the request and the hash used to sign the issued certificate are not really related.

The difference is simple: the Local license is issued for the firewall gateway IP address, while the Central license is issued and assigned to the IP address of the Management SmartCenter. In more practical terms it means you can attach, detach and re-attach a Central license to/from gateway(s) as many times as needed as long as the IP address of the SmartCenter doesn't change, thus allowing the same license to be used for different firewall gateways throughout the lifetime of the license, or to change IP addresses of the same gateway.
The Local license is not like that: from the beginning it is issued by Check Point for a specific IP address of the firewall gateway, and later, if you want to change this IP address, you have to 'move' the license to the new IP. You can do that just 6 times; after that you have to buy a new license.

You may have, for some reason, usually a compliance requirement (PCI DSS, HIPAA, etc.), the need to log everything that passes the firewall, regardless of the Log setting of each Security Rule. Check Point has thought of this need too: go to Global Properties -> Reporting Tools and click on Enable tracking all rules.
This will NOT interfere with the logging settings in the rule base; it works in parallel. Also, you have to specify a log server other than the current one to send these logs to, which of course will require a separate license as well. This way you can leave the usual Security Policy logging for debugging but send complete logs to some dedicated logging server for storage and later retrieval.

This usually happens when the administrator exceeds the limit of wrong password login attempts.
Sometimes it occurs when an administrator did not log out properly from the SmartConsole for whatever reason: his/her PC crashed, the connection to the SmartCenter was lost, etc.
No worries, it is easy to fix: go to the command line of the SmartCenter, enter expert mode (if not already there) and type: fwm lock_admin -u <account name>

This question comes up from time to time: can we copy the logs of some SmartCenter to another server with SmartCenter software installed in order to view them there? Usually you need this for archival storage of logs; you don't want to keep terabytes of logs on the active SmartCenter just as an archive.
The answer is yes: you can copy the binary log files to another Management server or to file storage, to be later opened NOT on the original server.
Technically you do it as with any file sync/transfer/backup on the Linux platform; what you need is all the files in the $FWDIR/log directory.

While Identity Awareness is relatively new to Check Point firewalls, its 'workhorse' is nothing new: an LDAP connection to the Active Directory Domain Controller. As a quite extensive and complex component, Identity Awareness earned its own tab in the configuration menu, but still, before you start configuring, make sure that the underlying Active Directory service is enabled and configured. You do so by first enabling "User Directory" in Global Properties, which, as far as I can remember, has existed there at least since R55. To make it visual, here is the screenshot showing where to find it:

The firewall itself is implemented as a bunch of kernel modules that plug into the Linux kernel (2.6.18 as of R77.30). From the OSI model standpoint it plugs itself between the Data Link Layer and the Network Layer. It means Check Point can inspect any packets bearing IP addresses in their headers. It also means that it does not check/verify/care about Layer 2 information, so it cannot inspect Ethernet headers, for example.

Configuring SNMP in Gaia, as opposed to SPLAT, has been made much simpler. So simple that it is easy to overlook that the default configured read-only community is public.
So it is a good idea to change it while enabling SNMP (replace the <new-community-string> placeholder with your own community name):
set snmp agent on
set snmp agent-version any
set snmp community <new-community-string> read-only

PS. Another 'feature' of SNMP in Gaia is that you can either enable SNMP versions 1 and 2 together, or version 3. Enabling just version 2c is not possible.

Once it was a nice-to-have configuration that most ISPs in the world ignored anyway, but today it is a must if you are planning to advertise your networks via BGP through your uplink provider: a route object for your network in the whois database of the uplink provider's AS. If it is missing, you will happily advertise your networks, the uplink provider will duly advertise them to its uplink peers, and those peers will check the registry database of your provider, not find this route object, and silently drop the advertisement.
Of course it is the duty of your transit ISP to update their records with your network, but after all, you are the one most interested, so, as they say in Russian, "Доверяй, но проверяй" (trust, but verify), and here is how to do it: whois -h whois.ripe.net -- '-a -r -i or -T route AS1680' | grep route
In this example I assume your uplink provider is Netvision with AS1680; replace the AS number with the correct one.
The output will look like:
route: 109.186.0.0/16
route: 109.253.0.0/16
route: 117.121.245.0/24
route: 138.134.0.0/16
route: 147.161.0.0/16
…

If you don't find your network in such a listing: Houston, you have a problem here.

Yesterday I had to extract some data from a CDR report for a client, namely the call start time, its duration and the called number. And while I am sure Google has a zillion scripts to be found, it was much faster to hack this one-liner.
The script extracts the following fields from the CDR report, in this order:
dateTimeOrigination - for outgoing calls it is the time the device goes off hook
callingPartyNumber - initiator of the call
finalCalledPartyNumber - the reached/dialed number (after forwarding, if any)
duration - duration of the call
The extracted data is placed in CSV format to be easily imported into Microsoft Excel.
Enjoy. Any questions, feel free to ask here.

Hi there, not much of a script, just a one-liner to turn the output of the Secure Platform CLI command ip route list into a ready-to-copy-and-paste list of Gaia clish commands.
Be aware I am not doing any error checking, so examine the final result before applying it to a production system.
See ya.
You should run it on the SPLAT CLI in expert mode:
ip route list | awk '/via/ {print " set static-route ",$1," nexthop gateway address " $3," on "}'

There are 50 ways to do PTR resolving in bulk, and this is just one of them. It doesn't pretend to be the fastest/coolest/best; the only thing
I can claim is that it works. So use it for pleasure and work.

[perl]

# Yuri
# 19.02.2013
# This script accepts a range of IP addresses to do PTR resolving for.
# The range has to be in this format: startIp-endIp.startIp-endIp.startIp-endIp.startIp-endIp
# Only answers are printed, i.e. if there is no answer nothing is printed.
use warnings;
use strict;
use Net::DNS ;